On Tue, Oct 03, 2006 at 02:13:50PM -0700, Digant C Kasundra wrote:
> Hello,
>
> Has anyone come up with an iptables type? We're currently
> managing fragments and then running a script to compile them into
> a complete iptables file, but that's a bit hackish.
I am planning to use templates to manage iptables but I haven't done
anything yet beyond some proof of concept code.
The idea is to use (for RHEL) something like:
file {
    path => "/etc/sysconfig/iptables",
    .....
    content => template("iptables.erb")
}
And in the template something like:
<% if scope.classlist.include?("http_server") then -%>
-A PUPPET-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
<% end -%>
<% if scope.classlist.include?("ssh") then -%>
-A PUPPET-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
<% end -%>
or
<% if scope.tags.include?("......") then -%>
...
<% end -%>
for each service. I am not too happy about it but I cannot
think of anything better and I am not going to need anything more
than 10-20 types of servers in my current system so I can live
with having to edit iptables.erb every time I add something new.
Kostas Georgiou
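To see the template approach end to end, here is an added example (not Kostas's code and not part of Puppet): plain Ruby renders an iptables.erb-style template against a stand-in Scope object, the per-service rules come from a service-to-port hash so a new server type is one hash entry instead of an edit to the template body, and the generated file sets a default DROP policy on INPUT. The Scope struct, the SERVICE_PORTS map and the fixed chain setup lines are assumptions.

```ruby
require 'erb'

# Stand-in for the Puppet template scope (assumption: the template
# only needs classlist, as in the mail).
Scope = Struct.new(:classlist)

# Service -> TCP ports. Adding a server type means adding an entry here;
# the template body stays unchanged.
SERVICE_PORTS = {
  'http_server' => [80],
  'ssh'         => [22],
}.freeze

# iptables-restore format; INPUT is default DROP so only what the
# template explicitly opens is reachable.
IPTABLES_ERB = <<~'ERB'
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  :PUPPET-INPUT - [0:0]
  -A INPUT -j PUPPET-INPUT
  -A PUPPET-INPUT -i lo -j ACCEPT
  -A PUPPET-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  <% SERVICE_PORTS.each do |svc, ports| -%>
  <% if scope.classlist.include?(svc) -%>
  <% ports.each do |port| -%>
  -A PUPPET-INPUT -p tcp -m tcp --dport <%= port %> -j ACCEPT
  <% end -%>
  <% end -%>
  <% end -%>
  COMMIT
ERB

# Render the template for a host carrying the given Puppet classes.
def render_iptables(classlist)
  scope = Scope.new(classlist)
  ERB.new(IPTABLES_ERB, trim_mode: '-').result(binding)
end

# Review helper: which TCP ports does the rendered file actually open?
def open_ports(rendered)
  rendered.scan(/--dport (\d+) -j ACCEPT/).flatten.map(&:to_i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_iptables(%w[http_server ssh])
end
```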